EU-FOSSA 2 - Free and Open Source Software Auditing

About EU-FOSSA 2

The EU-FOSSA project – short for Free and Open Source Software Auditing – aims to increase the security and integrity of critical open source software. It was launched by the European Commission at the instigation of the European Parliament after the discovery of the Heartbleed bug in 2014.

Following the success of an initial pilot, the project was renewed for another three years. This builds on the pilot project by extending the auditing of free and open source software through:

setting up bug bounty programmes,

organising hackathons and conferences, and

engaging with developer communities.

In addition, EU-FOSSA is expanding its scope to a wider range of software projects and communities. Since the very same software used by the European institutions is also widely deployed in society, we are all already benefiting from these investments.

Hackathons

In 2019 the European Commission has already organised two highly successful hackathons in Brussels. During these weekends filled with coding, knowledge sharing and socialising, the developer groups managed to do work that would have taken them months using their normal communication methods: chat, e-mail and bug tracking systems.

At the same time, the events provided an excellent opportunity for many long-time co-developers to finally meet in person, for senior members to share their wisdom, and to get new people involved in the projects.

The first hackathon took place at the beginning of April and brought together more than 60 people from the Symfony community, mostly from Europe but also from Cuba, Morocco and Russia. Together they managed to address or resolve over 230 issues related to this popular PHP framework.

For the second hackathon, more than 30 developers from six Apache projects (Tomcat, SpamAssassin, Karaf, Camel, PLC4X and Singa) gathered in Brussels in the first weekend of May. Attendees came from all over the world, including Croatia, Ireland, Poland and Romania, as well as Russia and the US. The gathering allowed developers from these countries to meet, exchange expertise, and build connections between their projects.

For the European institutions, the hackathons are a great way to support the open source development teams whose software they use themselves, and to strengthen ties between their own developers and these communities. Everything accomplished during these hackathons will also benefit the open source communities at large and open source users in general.

Bug bounties

Bug bounties, which reward people for finding and reporting vulnerabilities existing in free and open source software, are one of the main activities of the EU-FOSSA project. Three bug bounty platforms were selected to organise the hunt for bugs in several critical free and open source software packages used by European institutions.

The programme commenced in January 2019, and so far several hundred vulnerability reports have already been submitted. Taking the bug hunt one step further, an additional 20 percent bonus is awarded to the submitter if the bug is fixed. This also encourages researchers to provide fixes for the issues they find, and so the programme makes a real contribution to software security.

Public reception and media coverage of the programme have been highly positive.

Community engagement

In addition to specific events and initiatives, the European Commission believes it is important to build more permanent relations with the developer communities from critical open source software. This allows the Commission to learn about topical issues and the needs of each community, and to offer a helping hand where it can.

As part of the EU-FOSSA 2 project, several open source projects and communities have been identified for engagement, and the Commission team is reaching out to them. The goal is to build these relations into recurring conversations.